He Hacks by Day, Squats by Night

Noah Shachtman
03.06.02

Last May, Adrian Lamo informed Excite@Home executives that he'd found a leak in their supposedly airtight company network. What the 20-year-old hacker didn't say was that he had been sleeping in an abandoned building underneath Philadelphia's Ben Franklin Bridge when he discovered the breach.

NEW YORK -- Last January, Adrian Lamo awoke in the abandoned building near Philadelphia's Ben Franklin Bridge where he'd been squatting, went to a public computer with an Internet connection, and found a leak in Excite@Home's supposedly airtight company network.

Just another day in the life of a young man who may be the world's most famous homeless hacker.

More than a year later, Lamo is becoming widely known in hacker circles for tiptoeing into the networks of companies like Yahoo and WorldCom -- and then telling the corporate guys how he got there.

Administrators at several of the companies he's hacked have called Lamo brilliant and "helpful" for helping fix these gaps in network defenses.

Critics blast Lamo as a charlatan who preens for the spotlight.

"(Is) anyone impressed with Lamo's skills(?) He is not doing anything particularly amazing. He has not found some new security concept. He is just looking for basic holes," wrote one poster to the SecurityFocus website.

To such barbs, Oxblood Ruffian, a veteran of the hacker group Cult of the Dead Cow, replied, "It's like dancing. Anyone can dance. But not many people can dance like Michael Jackson."

Lamo's latest move: using a back door in The New York Times' intranet to snag the home phone numbers of over 3,000 Op-Ed contributors, including Vint Cerf, Warren Beatty and Rush Limbaugh.

Although Lamo (pronounced LAHM-oh) did nothing more mischievous with the information than include himself in its roster of experts, the Times is considering pressing charges, according to spokeswoman Christine Mohan. Hacking is a federal crime, currently punishable by five years in jail.

Prison would be an ironic twist for Lamo -- it'd be the first time in years he would have a steady place to stay.

Living out of a backpack, getting online from university libraries and Kinko's laptop stations, the slightly built, boyish Lamo wanders the country's coasts by Amtrak and Greyhound bus.

"I have a laptop in Pittsburgh, a change of clothes in D.C. It kind of redefines the term multi-jurisdictional," Lamo said with a mild stutter. "It'll be hard to get warrants for it all."

He spends most of his nights on friends' couches. But when hospitality wears thin, he takes shelter in city skeletons -- like the crumbling Philadelphia restaurant supply shop, or the old officers' quarters at the Presidio in San Francisco.

Lamo said he found his way into the colonial-era military complex by randomly trying doorknobs until he found one that rattled.

It's a pretty good metaphor, he adds, for how he hacks.

Company networks use proxy software to let internal employees out to the public Internet. It's a one-way door, essentially. But if proxy servers aren't configured correctly, these doors can swing both ways, allowing outsiders in through the corporate firewall, said Chris Wysopal, an executive with security firm @Stake.

Lamo peeks around for these swinging doors and lets himself in with widely used hacker tools.

It's not technically complex at all. Lamo found an open proxy on The New York Times' network in less than two minutes.

So it's understandable that many who consider themselves black belts in the computer arts regard Lamo's notoriety with more than a bit of skepticism.

A poster to SecurityFocus' site complains, "The only thing 'hacked' here is the media."

"The only way to get a publicly traded company to recognize that they're acting retarded is to kick 'em in the nuts. And you do that through the media," wrote Ira Wing, 29, who's been one of Lamo's closest confidants since the mid-1990s when the two met at PlanetOut, the gay and lesbian media firm where Wing worked and Lamo volunteered.

Lamo had long tried to point out security flaws to corporate network administrators, Wing said. But even after his first well-publicized intrusion -- a late-2000 pilfering of AOL instant messenger accounts -- the suits weren't about to pay attention to some hacker kid who didn't even have a high school diploma.

Despite his good intentions, Lamo may still go to jail for what he's doing.

"Strictly speaking, he is a criminal. The law doesn't take into account motivation," security consultant Winn Schwartau said.

Lamo answered, "If (the government) were to decide to indict (me), I'd rather everything be on the up and up -- inasmuch as you can be on the up and up when you're committing a federal crime."

For example, Lamo insists that unlike so many others in his trade, he won't take money from the companies he's hacked.

"When I was thirsty during Excite@Home, they bought me a 50-cent bottle of water," he said. "That's the most I got."

Instead, he relies on a small savings he amassed from stints doing security work for Levi Strauss and for Bay Area nonprofits, where his cubicle or the office elevator would often serve as the night's lodgings. He picks up money, occasionally, from short-term freelance security gigs. And, of course, there are the emergency handouts from his parents, Mario Lamo and Mary Atwood.

Lamo's parents moved often during his formative years, to Arlington, Virginia, to Mario's native Bogota, Colombia, and then to San Francisco. When they decided to move to Sacramento when Adrian was 17, the teen elected to stay in the city and live on his own.

Despite such grown-up pressures, friends say Lamo is still a kid in many ways. Childhood cloak-and-dagger fantasies of "paying 'salaries' of lunch goodies" to spy on youthful nemeses are now acted out online, according to Stephen Whiters-Ridley, a friend since elementary school.

Cyberpunk fiction, like Neal Stephenson's Snow Crash, seems to serve as a model for real-life action. Lamo is "a strange amalgam of Robin Hood and console cowboy," Whiters-Ridley wrote in an instant message. "(He's) the wandering samurai, Mad Max, (the) hacker with a heart of gold."

Lamo recently posted to a Usenet group, "If I didn't have computers, I'd be exploring storm drains or mountain caves. Hell, I do, when I don't have a line to the Net. There have been times my laptop has been the only dry thing I owned."

But his adventures -- picking through the trash of tech firms ("we considered stealing a CSC [Computer Sciences Corporation] flag ... but decided against it," a co-conspirator said) or climbing to the roof of Philadelphia's 30th Street Station -- may be starting to wear thin.

The heat is coming from a growing chorus of critics and a federal investigation Lamo feels is almost certain to come.

"My lifestyle takes a toll on anyone I interact with," Lamo said.

Reluctantly, he recalled a recent date when he suggested exploring the ruins of San Francisco's old Sutro Baths instead of dinner or a movie. A breakup e-mail followed the next day.

"I've had a long day, a long month, and a long year," he said at the end of a pre-dawn chat.

He follows that with an instant message: "Dream of a warm and safe place."